Enabling FIM Portal Access for Normal User Accounts

  • Question

  • Hi There,

    Good Morning/evening,

    Normal users can access the FIM Portal site only when the users are provisioned from Active Directory to the FIM Portal by an inbound synchronization rule; but when users are provisioned from the FIM Portal to Active Directory by an outbound synchronization rule, normal users cannot access the FIM Portal.

    In both cases we are able to populate objectSID, accountName & domain, so I don't know exactly why only users provisioned back to the FIM Portal with objectSID, accountName & domain from AD can access the FIM Portal.

    Could you please help me with this: why can users access the Portal only when provisioned from Active Directory to the FIM Portal, but objectSID is not populated when users are provisioned from the FIM Portal to Active Directory?

    I am getting the error below:

    Thanks & Regards

    Veerappa Kammar

    Tuesday, September 17, 2013 9:58 AM

Answers

  • For more info and troubleshooting please see:

    http://jorgequestforknowledge.wordpress.com/2013/01/09/fim-portal-access-for-any-regular-ad-user-account-how-to-enable-and-troubleshoot/

    Please let me know if that helped.


    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/

    Tuesday, October 1, 2013 10:31 AM

All replies

  • Hello,

    Do the users who are NOT able to log on to the Portal have an ObjectSID in the Portal?

    It seems to me that there is a problem with flowing the objectSID to the FIM Portal when users are created in the Portal.

    You should check this first.


    Peter Stapf - Doeres AG - http://www.doeres.com

    Tuesday, September 17, 2013 12:28 PM
  • Hi,

    As per my understanding, the logic for this is as follows:

    FIM authenticates the user via Active Directory using the ObjectSID attribute, which we get from Active Directory. So, if a user is present in both the Metaverse & the Portal but doesn't have ObjectSID and Domain, then the user will not be able to log in to the Portal or do a Password Reset.

    So, if you want to provision users from the FIM Portal to AD, then you need to flow ObjectSID and Domain name back into FIM from AD using an INBOUND rule, or maybe a direct flow.

    I hope this clears your doubts regarding user provisioning.

    Thanks~ 

    Giriraj Singh


    Tuesday, September 17, 2013 2:03 PM
  • Hey, thanks a lot for your info.

    Yes, I have already done this in the dev environment; I can access the FIM Portal only when users are provisioned from Active Directory to the FIM Portal by an inbound synchronization rule.

    But my question is: when users are provisioned from the FIM Portal to Active Directory by inbound & outbound sync rules, I can see objectSID populated but still cannot access the FIM Portal.

    Please see the screenshot below for the synchronization rule.

    Thanks

    Veerappa

    Wednesday, September 18, 2013 11:37 AM
  • I still think there is some issue where the objectSID does not come back into the Portal if you create the user in the Portal.

    So for a user who cannot log in to the Portal (one which was created in the Portal):

    1. Does this user have an ObjectSID in MV ?

    2. Does this user have an ObjectSID in Portal ?

    Regards
    Peter


    Peter Stapf - Doeres AG - My blog: JustIDM.wordpress.com

    Wednesday, September 18, 2013 11:47 AM
  • Hi,

    As Peter suggested, you should verify the attribute flow into the FIM MA for the person object:

    mventry   -->  Data Source Entry
    ObjectSID -->  ObjectSID

    I hope this will help.

    Thanks~

    Giriraj Singh Bhamu

    Thursday, September 19, 2013 9:20 PM
  • Check the precedence of the flow for the object SID. This could cause the SID to flow to the MV but not to the portal.
    Friday, September 20, 2013 12:29 PM
  • Hi Giriraj,

    Thanks a lot for your suggestion. I will test it in my environment & let you know.

    Thanks

    Veerappa

    Monday, September 23, 2013 4:24 PM
  • Is the account that gets created in AD still saying that the password needs to be reset on next login when you are trying to access the portal? The users may need to reset their password before accessing the portal in that case.

    Just a guess.

    Thanks,

    Sami

    Monday, September 23, 2013 7:31 PM
  • Yes, we need to reset the password to log in to the FIM Portal for users we exported to AD.

    Thanks

    Veerappa

    Tuesday, September 24, 2013 4:53 AM
  • Hi Giriraj,

    I am still not able to access the FIM Portal when populating users from the FIM Portal to Active Directory, even though I added the imported objectSID in the FIM MA management agent; but it works fine when populating users from Active Directory to the FIM Portal.

    Thanks

    Veerappa

    Tuesday, September 24, 2013 5:14 AM
  • DisplayName is also a required attribute to be able to access the portal. Is that on the user accounts?

    Thanks,

    Sami

    Wednesday, September 25, 2013 6:59 PM
  • Hi sami,

    I have added the displayName attribute also, but I am still not able to access the FIM Portal when exporting users from the FIM Portal to AD.

    Thanks

    Veerappa

    Monday, September 30, 2013 5:24 PM
  • Hi,

    Sorry for the delayed response.

    So, I think you should check all of these settings:

    1) DisplayName flow all the way from AD to MV and MV to Portal.

    2) ObjectSID flow all the way from AD to MV, MV to Portal and vice versa.

    3) Domain flow all the way from AD to MV, MV to Portal and vice versa.

    And your users will be able to log in to the FIM Portal after:

    •  They are provisioned into AD.
    •  ADMA DI+DS and FIM Export.

    And make sure of the precedence for all these attributes.

    Thanks~

    Giriraj Singh Bhamu


    Tuesday, October 1, 2013 1:48 PM
  • Have you actually checked, for the user having problems, whether all required values are in place?

    If values are missing, what happens when you add those missing values manually without syncing anything?

    Domain and accountName can be done through the GUI.

    For objectSID, use the following script:

    http://social.technet.microsoft.com/wiki/contents/articles/3614.how-to-use-powershell-to-fix-an-objectsid-on-an-fim-portal-object.aspx


    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/

    Saturday, October 5, 2013 7:55 PM
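    The checklist in Giriraj's reply above (DisplayName, ObjectSID and Domain flowed through to the Portal, with the right precedence) and Jorge's suggestion to inspect the problem user's values directly can be combined into one verification script. The following is an added example, not code from this thread or from the linked TechNet wiki article. It assumes the FIMAutomation snap-in is available on the FIM Service host, that the FIM Service listens on the default http://localhost:5725, that the Portal exports the binary ObjectSID attribute as a base64 string (as Export-FIMConfig does for binary attributes), and that the machine is domain-joined so a default DirectorySearcher resolves the account in AD. The parameter names and the script name are the example's own.

    ```powershell
    # Added example (not from the thread): check that a Person in the FIM Portal carries
    # the attributes the Portal needs to map a Windows logon to a Portal object, and that
    # its ObjectSID actually matches the account in AD.
    # Usage: .\Check-FimPortalAccess.ps1 -AccountName jsmith -Domain CONTOSO
    param(
        [Parameter(Mandatory = $true)][string]$AccountName,
        [Parameter(Mandatory = $true)][string]$Domain,
        [string]$FimServiceUri = "http://localhost:5725"   # assumption: default FIM Service port
    )

    if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
        Add-PSSnapin FIMAutomation
    }

    # 1. Pull the Person from the Portal by AccountName. The XPath is built from a trusted
    #    admin parameter here; do not feed untrusted input into it.
    $xpath  = "/Person[AccountName='$AccountName']"
    $export = @(Export-FIMConfig -Uri $FimServiceUri -OnlyBaseResources -CustomConfig $xpath)
    if ($export.Count -eq 0) { throw "No Person with AccountName '$AccountName' in the FIM Portal." }
    if ($export.Count -gt 1) { Write-Warning "More than one Person matches '$AccountName'; checking the first." }

    # Flatten the exported attributes into a hashtable: AttributeName -> value(s).
    $attrs = @{}
    foreach ($a in $export[0].ResourceManagementObject.ResourceManagementAttributes) {
        if ($a.IsMultiValue) { $attrs[$a.AttributeName] = $a.Values }
        else                 { $attrs[$a.AttributeName] = $a.Value }
    }

    # 2. The four attributes the thread identifies as required for Portal logon.
    $required = 'ObjectSID', 'Domain', 'AccountName', 'DisplayName'
    $missing  = @($required | Where-Object { [string]::IsNullOrEmpty($attrs[$_]) })
    if ($missing.Count -gt 0) {
        Write-Warning ("Portal object is missing: " + ($missing -join ', '))
    } else {
        Write-Host "All required Portal attributes are present."
    }

    # 3. Domain must be the NetBIOS domain the user logs on with.
    if ($attrs['Domain'] -and ($attrs['Domain'] -ne $Domain)) {
        Write-Warning "Domain on the Portal object is '$($attrs['Domain'])', expected '$Domain'."
    }

    # 4. Compare the Portal's ObjectSID (base64, assumption) with the SID AD holds for the account.
    #    A stale or wrong SID is as bad as a missing one: the Portal matches on the SID, not the name.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$AccountName))"
    $null = $searcher.PropertiesToLoad.Add('objectSid')
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "No AD account '$AccountName' found in the current domain." }
    $adSid = New-Object System.Security.Principal.SecurityIdentifier($hit.Properties['objectsid'][0], 0)

    if ($attrs['ObjectSID']) {
        $portalSidBytes = [Convert]::FromBase64String($attrs['ObjectSID'])
        $portalSid = New-Object System.Security.Principal.SecurityIdentifier($portalSidBytes, 0)
        if ($portalSid -eq $adSid) {
            Write-Host "ObjectSID matches AD: $adSid"
        } else {
            Write-Warning "ObjectSID mismatch. Portal: $portalSid  AD: $adSid"
        }
    } else {
        Write-Host "AD SID for reference (use it with the objectSID fix script): $adSid"
    }
    ```

    Run it as a FIM administrator against a user who was created in the Portal and cannot log on; if it reports a missing or mismatched ObjectSID while the Metaverse object already has the right SID, the problem is in the FIM MA import flow or attribute precedence rather than in AD, which is exactly the split Peter's two questions (SID in MV? SID in Portal?) are meant to expose.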
  • Hi,

    Open the FIM connector and make sure objectSID, domain and accountName are present.

    Thanks

    Deepak

    Monday, October 7, 2013 9:49 PM